Issuing New Certificates to Address Let's Encrypt CAA Rechecking Bug

Anthony Eden — 03 March 2020

Today Let's Encrypt announced that they would revoke a batch of certificates issued due to a bug in their CAA code. Let's Encrypt provided a list of all certificates impacted. After comparing this list to the Let's Encrypt certificates requested by DNSimple, we have found that a small number of certificates issued to our customers will be revoked.

We are addressing this issue by taking the following steps:

We will automatically request a new Let's Encrypt certificate for each affected certificate that Let's Encrypt will revoke and that was issued after January 1st, 2020.

We are publishing this blog post and will post to social media as well.

We will email the accounts that have certificates affected by this revocation with a list of impacted fully-qualified certificate names.

If you use our HTTPS redirector for URL forwarding, then you will not need to take any action. Our system will automatically handle the distribution of the new certificates and start using each new certificate as soon as it is issued. The revoked certificate will be ignored.

If you use one of the impacted Let's Encrypt certificates on servers you operate, then you will need to install the new certificate bundle once the certificate is issued. You will find the new certificate in your account. If you listen to our webhooks, we will send a certificate.issue event with the new certificate once it is available in your account for download.

If you have any questions, please contact us and we will be happy to help.